RE: [nsp] BCP for LD Security

From: Edward S. Desouza (edward_desouza@yahoo.com)
Date: Fri Mar 09 2001 - 01:01:18 EST


Do you think it is needed to have a firewall in front
of my LD? I don't have any ports besides 80 open.
Also, I presume that the IDS blade on the 6500 will be
able to intercept streaming attacks?

Rgds,

Edward
--- "F. David Sinn" <dsinn@dsinn.seanet.com> wrote:
> As to question #2, you can't have a firewall
> directly behind the LD. You
> would have to implement a firewall between the
> 6500's and your servers if
> you intend to keep ASLB.
>
> ASLB works by the 6500 learning about the balancing
> decision from the LD and
> then doing the packet changes itself. Once the ASLB
> cache has been made,
> the LD is no longer in the loop, and thus if you had
> a firewall directly
> behind the LD it would not be in the loop either.
>
> It would probably just be simpler to place your
> firewall ahead of the LD.
>
> David
> -----Original Message-----
> From: Edward Desouza
> [mailto:edward_desouza@yahoo.com]
> Sent: Thursday, March 08, 2001 9:41 AM
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] BCP for LD Security
>
>
> Hi,
> This question is addressed to all the security
> gurus out there:
>
>
> 1. I have 2 front end web servers
> 2. I am using a Cisco LD 430 for load balancing
> 3. The two web servers are connected to a 6509 switch
> which, in conjunction with the
> LD, offers ASLB (Accelerated Server Load Balancing)
> 4. I am using an IDS blade on the 6509
> 5. The front end web servers are on private address
> space (the LD is doing
> a NAT functionality)
>
> My question is as follows:
>
> 1. Since the LD is listening only on port 80 on a
> valid IP, do I need a
> firewall in front of my LD? Can the IDS blade on
> the 6509 protect against
> streaming attacks?
>
> 2. If I don't need a firewall in front of the LD, can
> a firewall be placed
> behind the LD? From the Cisco docs on ASLB, the
> backend servers and the
> valid IPs have to be on two VLANs. If I introduce a
> firewall behind the LD
> this requirement is violated.
>
> I need to know what is a Best Common Practise when
> deploying a Cisco LD with
> a firewall.
>
>
> Rgds,
>
> Edward
>

=====
Edward S. Desouza
23/24 Manali 5,
Evershine Nagar,
Malad (W),
Bombay 400064.
Tel :9122-8886362

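The following is an added illustration, not part of the thread and not Cisco code: a toy Python model of the ASLB flow cache David describes. The 6500 learns the LD's balancing decision from the first packet of a flow and rewrites later packets itself, so a firewall placed behind the LD inspects only each flow's first packet, while a firewall ahead of the LD inspects every packet. The addresses, the round-robin balancing policy and the "permit TCP/80 only" filter are all constructed assumptions for the simulation.

```python
"""Toy model of where a firewall sits relative to an ASLB flow cache.

Constructed simulation (not Cisco code, not from the thread): the 6500 learns
the LD's balancing decision from the first packet of a flow and rewrites later
packets itself, so the LD, and anything behind it, sees only each flow's first
packet. All addresses are made up (RFC 5737 / RFC 1918 ranges).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VIP = "198.51.100.10"                # constructed public VIP the LD listens on
REALS = ["10.0.1.11", "10.0.1.12"]   # constructed private-address web servers
FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Firewall:
    """Stateless filter: only TCP/80 is permitted. Records every packet it sees."""
    name: str
    seen: List[Packet] = field(default_factory=list)

    def permit(self, pkt: Packet) -> bool:
        self.seen.append(pkt)
        return pkt.dport == 80


class LocalDirector:
    """Round-robin balancer that NATs the VIP to a real server (assumed policy)."""

    def __init__(self, reals: List[str]) -> None:
        self.reals = reals
        self.rr = 0
        self.seen: List[Packet] = []

    def balance(self, pkt: Packet) -> Packet:
        self.seen.append(pkt)
        real = self.reals[self.rr % len(self.reals)]
        self.rr += 1
        return Packet(pkt.src, pkt.sport, real, pkt.dport)


class Switch6500:
    """Switch with an ASLB-style flow cache.

    fw_behind_ld models a firewall placed between the LD and the servers: it is
    consulted only on the LD path, never on a cache hit.
    """

    def __init__(self, ld: LocalDirector, fw_behind_ld: Optional[Firewall] = None) -> None:
        self.ld = ld
        self.fw_behind_ld = fw_behind_ld
        self.cache: Dict[FlowKey, str] = {}

    def forward(self, pkt: Packet) -> Tuple[Optional[Packet], str]:
        key: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        real = self.cache.get(key)
        if real is not None:
            # Cache hit: the switch rewrites the destination itself; LD bypassed.
            return Packet(pkt.src, pkt.sport, real, pkt.dport), "switch-cache"
        # Cache miss: the first packet of the flow goes through the LD ...
        translated = self.ld.balance(pkt)
        # ... and through whatever sits behind the LD, which sees the NATed packet.
        if self.fw_behind_ld is not None and not self.fw_behind_ld.permit(translated):
            return None, "dropped-behind-ld"
        self.cache[key] = translated.dst
        return translated, "ld"


def simulate(flows: int, packets_per_flow: int) -> Dict[str, int]:
    """Send identical client traffic through both placements and count packets seen."""
    fw_ahead = Firewall("ahead-of-LD")          # David's recommended placement
    sw_ahead = Switch6500(LocalDirector(REALS))
    fw_behind = Firewall("behind-LD")           # placement Edward asked about
    sw_behind = Switch6500(LocalDirector(REALS), fw_behind_ld=fw_behind)

    total = 0
    for f in range(flows):
        client = f"203.0.113.{f + 1}"          # constructed client address
        for _ in range(packets_per_flow):
            pkt = Packet(client, 40000 + f, VIP, 80)
            total += 1
            if fw_ahead.permit(pkt):           # every packet is inspected here
                sw_ahead.forward(pkt)
            sw_behind.forward(pkt)             # only cache misses reach fw_behind
    return {
        "total": total,
        "fw_ahead_saw": len(fw_ahead.seen),
        "fw_behind_saw": len(fw_behind.seen),
        "ld_saw": len(sw_ahead.ld.seen),
    }


if __name__ == "__main__":
    print(simulate(flows=3, packets_per_flow=5))
```

With three flows of five packets each, the firewall ahead of the LD inspects all fifteen packets, while the firewall behind the LD (like the LD itself) inspects only the three first packets; the remaining twelve are rewritten by the switch's cache and never reach either. The model ignores cache ageing and the VLAN requirement from the Cisco docs, so it shows the inspection gap David points out but not the full ASLB topology.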



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:31 EDT